Can we issue an SSL certificate under a Root CA that does not have the Extended Key Usage (Server Authentication)?

I have created one Root Certificate, Intermediate CA and SSL Certificate with the attributes below.

Root Certificate:

Extended Key Usage (Client Authentication, TimeStamping)

Intermediate CA:

Extended Key Usage (Server Authentication, Client Authentication, TimeStamping)

SSL Certificate:

Extended Key Usage (Server Authentication, Client Authentication, TimeStamping)

I am getting the error below in Chrome (image attached), but the same works fine in Firefox, although I have added both the Root and Intermediate CA to the Microsoft trust store.

SSL Error

I didn't include Server Authentication in the Root Certificate as an extended key. Is there any way to create an SSL certificate under this root? Please help.

There is 1 best solution below

No. If a CA certificate (root or intermediate) contains an Extended Key Usage extension then issued certificates can only have a subset of those EKUs (unless the CA's EKU has the "any usage" EKU).

Generally a root certificate won't have the EKU extension (good for all purposes), and if the intermediate is owned by the same company it frequently won't have an EKU extension, either. If the intermediate CA is an issuance partnership then the issuing CA will frequently constrain the subordinate CA.

For example, the TLS certificate for www.microsoft.com (2018-06-05), where a delegated issuing CA agreement is used:

  • www.microsoft.com
    • EKUs: TLS Server Auth, TLS Client Auth
  • Microsoft IT TLS CA 4
    • EKUs: TLS Server Auth, TLS Client Auth, OCSP signing
  • Baltimore CyberTrust Root
    • (no EKU extension)

Compare with www.wikipedia.org:

  • *.wikipedia.org
    • EKUs: TLS Server Auth, TLS Client Auth
  • GlobalSign Organization Validation CA - SHA256 - G2
    • (no EKU extension)
  • GlobalSign Root CA
    • (no EKU extension)
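
The nesting rule described in the answer, as an added example that is not part of the original post: it reports which certificates in a chain exclude a given purpose. Certificates are modelled as sets of EKU OIDs rather than parsed from files, the chain data is constructed from the EKU lists on this page, and the function names are hypothetical.

```python
# Added example: each chain is ordered leaf -> root; eku is a set of OIDs,
# or None when the certificate has no EKU extension.
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
TIME_STAMPING = "1.3.6.1.5.5.7.3.8"
OCSP_SIGNING = "1.3.6.1.5.5.7.3.9"
ANY_EKU = "2.5.29.37.0"  # anyExtendedKeyUsage
ALL = {SERVER_AUTH, CLIENT_AUTH, TIME_STAMPING, OCSP_SIGNING}


def permits(eku, purpose):
    """No EKU extension, the 'any usage' EKU, or the purpose itself allows it."""
    return eku is None or ANY_EKU in eku or purpose in eku


def blocking_certs(chain, purpose):
    """Names of certificates whose EKU excludes the purpose (empty = usable)."""
    return [name for name, eku in chain if not permits(eku, purpose)]


def usable_purposes(chain, candidates=ALL):
    """Purposes that every certificate in the chain permits."""
    return {p for p in candidates if not blocking_certs(chain, p)}


# Constructed from the question: the root lacks Server Authentication.
QUESTION_CHAIN = [
    ("SSL Certificate", {SERVER_AUTH, CLIENT_AUTH, TIME_STAMPING}),
    ("Intermediate CA", {SERVER_AUTH, CLIENT_AUTH, TIME_STAMPING}),
    ("Root Certificate", {CLIENT_AUTH, TIME_STAMPING}),
]
# Constructed from the two chains listed in the answer.
MICROSOFT_CHAIN = [
    ("www.microsoft.com", {SERVER_AUTH, CLIENT_AUTH}),
    ("Microsoft IT TLS CA 4", {SERVER_AUTH, CLIENT_AUTH, OCSP_SIGNING}),
    ("Baltimore CyberTrust Root", None),
]
WIKIPEDIA_CHAIN = [
    ("*.wikipedia.org", {SERVER_AUTH, CLIENT_AUTH}),
    ("GlobalSign Organization Validation CA - SHA256 - G2", None),
    ("GlobalSign Root CA", None),
]

if __name__ == "__main__":
    for label, chain in [("question", QUESTION_CHAIN),
                         ("microsoft", MICROSOFT_CHAIN),
                         ("wikipedia", WIKIPEDIA_CHAIN)]:
        blockers = blocking_certs(chain, SERVER_AUTH)
        print(label, "serverAuth blocked by:", blockers or "nothing")
```
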